NOTE: This question is NOT related to the keys and certificates used for iOS development/provisioning.
I would like to use TLS client certificates for authentication of iOS devices running my app. In order to achieve this securely, it would be ideal if the device generated its private key itself and requested a certificate from our in-house CA.
I can't find an API in the docs for doing this, but I can see that iOS supports TLS client certificate authentication, so it seems logical that it would be possible. Can anyone point me in the right direction?
Actually, there is an Objective-C wrapper of OpenSSL available, which may be of some help to you: https://github.com/aidansteele/SSCrypto.
You can also use MYCrypto (https://bitbucket.org/snej/mycrypto/wiki/Home), a high-level Objective-C wrapper for many cryptographic tasks.
Is there a best way to do certificate pinning in iOS to avoid man-in-the-middle attacks? Or is there any substitute approach that Apple provides to make a secure connection?
Currently I'm using a certificate pinning approach where either I have to store the .der file in my app to compare with the server certificate or, as option 2, do SHA1 or MD5 validation. But in this case the app needs regular updates whenever those certificates change.
Is there any other concrete approach that Apple provides for SSL/TLS validation?
Any demo code sample will be helpful
Thanks in advance
OWASP provides good information about this topic, including sample code for various OS, including iOS.
AFNetworking provides the AFSecurityPolicy class to deal with certificate and public key pinning.
I want to record web requests using Fiddler from an iOS 7 native app which uses the HTTPS protocol (with trusted certificates) to communicate with the server. I was able to record the requests with the HTTPS decryption option disabled, and it worked fine. When the HTTPS decryption option is enabled, the app shows an invalid/untrusted certificate alert and cannot proceed, even after installing the Fiddler certificate in iOS.
Question is,
Is there any way to record the HTTPS requests/responses of an iOS 7 app using Fiddler, by imitating any other certificate as a trusted certificate or in any other way? Any suggestions? Any other tools? I got another solution from here but it did not work.
Thanks in advance
You need to use the Fiddler Certificate Maker add-on to generate certificates that iOS is willing to trust.
See http://blogs.telerik.com/fiddler/posts/12-12-21/using-fiddler-with-apple-ios-devices for more information.
Also keep in mind that some iOS applications (like the AppStore) use a technique called "Certificate Pinning" which means that you cannot decrypt their traffic seamlessly unless you jailbreak the device.
I am looking for an API which will allow me to check whether MDM profile is installed on a device.
It won't be submitted to the App Store, so private APIs are fine with me. However, it should work on a jailed phone (so jailbreak solutions aren't applicable).
Update 1
I am looking for a way to determine on iOS device whether this device is enrolled (vs checking from MDM server what devices are enrolled).
One solution that I can think of is installing the application through the MDM server (using the ChangeManagementState option to take control of an already installed application). This will allow you to set managed app configuration options on the MDM server which the application can read from UserDefaults.
You can see how to do this here: https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf#b3
If you need to verify that the correct MDM server is managing the device and not some random MDM server, you can create some type of signed document that is unique to the device (include the UDID) and signed by a private key unique to the server. The app can then verify this signature with the public key (probably shipped in the app binary since this seems to be a private thing) and determine if the app and device are managed.
The easiest option would probably be something like JSON Web Tokens. There are other options that exist as well: pkcs7, SMIME, CMS, etc.
For example, in the body of the JWT token, you could include the server domain, and the device UDID. This way the device can verify that this signed token is intended for this device and not simply being copied and reused from another legitimately managed device. You could also include a timestamp (and/or expiration) value to require that the token be reissued by the MDM server over some set time interval to ensure that it's recent.
    {
        "sub": "SOME-DEVICE-UDID",
        "iat": 1516239022,
        "iss": "mdm.example.com"
    }
There are many ways to do this, I am just most familiar with JWT tokens. There are existing JWT libraries for Swift and Objective-C which could be used within your app to verify this token. Then you could be reasonably sure that the device is managed and managed by the intended server.
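A sketch of the app-side check this answer describes, added here as an illustration and not taken from the original post. It assumes the MDM server signs the token with ES256 (ECDSA P-256) and that the app already holds the server's public key and knows the identifier the server puts in `sub`; `verifyEnrollmentToken`, `EnrollmentClaims` and `maxAge` are hypothetical names.

```swift
import CryptoKit
import Foundation

enum TokenError: Error { case malformed, badSignature, wrongIssuer, wrongDevice, expired }

// Claims from the answer's example body, plus the optional expiry it suggests.
struct EnrollmentClaims: Decodable {
    let sub: String          // device identifier the token was issued for
    let iss: String          // MDM server domain
    let iat: TimeInterval    // issue time, seconds since 1970
    let exp: TimeInterval?   // optional expiry
}

func base64URLDecode(_ s: String) -> Data? {
    var b64 = s.replacingOccurrences(of: "-", with: "+").replacingOccurrences(of: "_", with: "/")
    b64 += String(repeating: "=", count: (4 - b64.count % 4) % 4)
    return Data(base64Encoded: b64)
}

// How the app learns deviceID (e.g. via managed app configuration) is outside this sketch.
func verifyEnrollmentToken(_ jwt: String, serverKey: P256.Signing.PublicKey,
                           expectedIssuer: String, deviceID: String,
                           maxAge: TimeInterval, now: Date = Date()) throws -> EnrollmentClaims {
    let parts = jwt.split(separator: ".", omittingEmptySubsequences: false).map(String.init)
    guard parts.count == 3,
          let headerData = base64URLDecode(parts[0]),
          let payload = base64URLDecode(parts[1]),
          let sigBytes = base64URLDecode(parts[2]),
          let header = try? JSONSerialization.jsonObject(with: headerData) as? [String: Any],
          (header["alg"] as? String) == "ES256"   // fixed algorithm; "none" or HS256 is rejected
    else { throw TokenError.malformed }

    // ES256 signatures are the raw 64-byte r||s form, computed over "header.payload".
    guard let signature = try? P256.Signing.ECDSASignature(rawRepresentation: sigBytes),
          serverKey.isValidSignature(signature, for: Data("\(parts[0]).\(parts[1])".utf8))
    else { throw TokenError.badSignature }

    // Claims are parsed only after the signature has been verified.
    guard let claims = try? JSONDecoder().decode(EnrollmentClaims.self, from: payload)
    else { throw TokenError.malformed }
    guard claims.iss == expectedIssuer else { throw TokenError.wrongIssuer }
    guard claims.sub == deviceID else { throw TokenError.wrongDevice }   // blocks reuse from another device
    let t = now.timeIntervalSince1970
    let expiry = min(claims.exp ?? .infinity, claims.iat + maxAge)      // forces periodic reissue
    guard claims.iat <= t + 60, t < expiry else { throw TokenError.expired }
    return claims
}
```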
I have an iOS application that uses certificates for messaging-signing following the Digital Signature Algorithm (DSA). In order to perform this signing, the app needs the certificate as well as the private key associated with the certificate. And, I cannot embed the certificate in the app as my customers need to be able to generate and distribute their own certificates to be used by the app whenever they need. (And, embedding a certificate would constitute a security risk anyway.)
Does anyone have any thoughts on how I might go about distributing the certificates and private keys?
PS. We do the same thing on BlackBerry and, there, we use BlackBerry Enterprise Server and APIs on the BlackBerry device to push certificates to the devices in the organization. I'm hoping there's a MDM solution to this for iOS but haven't been able to find anything yet.
Thanks much
You ask:
Does anyone have any thoughts on how I might go about distributing the certificates and private keys?
I'm sorry I don't know enough about your specific situation to tell you exactly how to meet your requirement, but I can tell that's not how it's usually done. Instead the public/private key pair is normally generated on the device, then the public key (only) is submitted with additional data (in a Certificate Signing Request, CSR, for example), to a server (Certification Authority, CA), which generates the certificate and returns it to the requester (and possibly publishes it in a directory).
An important security benefit to this approach is no third party has access to the private key (the CA needs the public key and doesn't need the private key). This is required for non-repudiation (so the device owner can't claim someone got his private key from the central server).
On iOS, there is no straightforward way to distribute a certificate and its private key to an app. Apple suggests using PKCS12 and provides some guidance in this document: Technical Q&A QA1745: Making Certificates and Keys Available To Your App.
I want to encapsulate a UIWebView which can handle both HTTP and HTTPS requests on the iOS platform; especially for HTTPS, it should handle both trusted and unverified (developer-defined) certificates. Is any open source available for reference?
Thanks in advance.
Graham Lee discusses some of the things you can do at On SSL Pinning for Cocoa [Touch]. It's about as close as you are going to get to open source - it's sample code that shows you how to do it with NSURLConnection and NSURLConnectionDelegate.
Lee's article discusses how to pin a public key, which improves security on the channel. Public Key Pinning is equivalent to StrictHostKeyChecking in SSH. In addition, I believe you can use NSURLConnection and NSURLConnectionDelegate to trust your [otherwise] untrusted certificates (I don't observe the practice, so I'm not sure of the details).
Be careful of lessening (ruining?) the security built into the channel. A survey and analysis of dumb developer decisions was recently published at Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. It's not limited to Android.
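Public key pinning as discussed in this answer and in the earlier pinning question, shown as an added example that is not from Lee's article or any of the posts. It uses URLSession rather than NSURLConnection and requires iOS 15 for `SecTrustCopyCertificateChain`; `PinnedSessionDelegate` is a hypothetical name and the pin values are supplied by the caller.

```swift
import CryptoKit
import Foundation
import Security

final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    // Base64 SHA-256 digests of the accepted public keys, computed over the same
    // representation SecKeyCopyExternalRepresentation returns (not the full SPKI).
    // Pinning a backup key as well lets the server rotate certificates without an app update.
    private let pinnedKeyHashes: Set<String>

    init(pinnedKeyHashes: Set<String>) { self.pinnedKeyHashes = pinnedKeyHashes }

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Pinning is an additional check: the normal chain and hostname evaluation must
        // succeed first, then some certificate in the chain (leaf or CA) must carry a pinned key.
        guard SecTrustEvaluateWithError(trust, nil),
              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              chain.contains(where: { isPinned($0) }) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }

    private func isPinned(_ certificate: SecCertificate) -> Bool {
        guard let key = SecCertificateCopyKey(certificate),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else { return false }
        let digest = Data(SHA256.hash(data: keyData)).base64EncodedString()
        return pinnedKeyHashes.contains(digest)
    }
}
```

Because the pin is on the key and not the certificate, a reissued certificate for the same key pair keeps validating, which avoids the update-on-every-renewal problem raised in the pinning question.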
Create network connection to handle SSH challenge, untrusted certification.
This bit of code may be of help https://github.com/dirkx/Security-Pinning-by-CA - it does exactly that.